Entity Registration - Moderately critical - Access bypass - SA-CONTRIB-2022-063

Project: Entity RegistrationDate: 2022-December-07Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: >=7.1.0 <7.1.9Description: This module enables you to create registration entities related to nodes.
The module doesn't sufficiently restrict update access to a user's own registrations.
This vulnerability is mitigated by the fact that an attacker must have the "update own [registration type]" permission.Solution: Install the latest version:

Note: Sites that allow non-administrative users to manage registrations because the users can update the registration host entity and have "update own registration" permission for a given registration type, may need to give those users the "administer own registration" permission for them to retain the ability to manage registrations after installing this upgrade.Reported By: 

Fixed By: 

Coordinated By: 

Reported at: 20 November 2022

Path to article https://www.drupal.org/sa-contrib-2022-063